Based on customer feedback and a further review of the CVSS v2 specifications, Qualys has decided to change the CVSS v2 values to "Partial" for both Confidentiality and Integrity for QIDs 38169, 38173, and 38167, resulting in a CVSS v2 base score of 6.4 for all three.

We believe this aligns more accurately with the definitions for "Partial" for both of these metrics:

Confidentiality - Partial: "There is considerable informational disclosure. Access to some system files is possible, but the attacker does not have control over what is obtained, or the scope of the loss is constrained. An example is a vulnerability that divulges only certain tables in a database."

Integrity - Partial: "Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited. For example, system or application files may be overwritten or modified, but either the attacker has no control over which files are affected or the attacker can modify files within only a limited context or scope."

In a man-in-the-middle attack, the attacker cannot modify the scope of the affected service, without relying on an additional vulnerability or weakness. Because we are basing this CVSS score on the threat of a MITM, we are changing the score to more accurately align with the CVSS v2 specs.

Summary

Qualys had initially scored QIDs 38169, 38173, and 38167 Confidentiality and Integrity vectors as “Complete” resulting in CVSS v2 base score of 9.4 for all three.

Effective April 2, 2019, Qualys will revise the Confidentiality and Integrity vectors as “Partial” resulting in new CVSS v2 base score of 6.4 for all three.